On Mon, Mar 16, 2026 at 7:15 AM Jiakai Xu <[email protected]> wrote:
>
> When a guest reads a firmware PMU counter via
> SBI_EXT_PMU_COUNTER_FW_READ or SBI_EXT_PMU_COUNTER_FW_READ_HI without
> first configuring it with SBI_EXT_PMU_COUNTER_CFG_MATCH, the counter's
> event_idx remains SBI_PMU_EVENT_IDX_INVALID (0xFFFFFFFF).
>
> get_event_code() extracts the lower 16 bits from event_idx, yielding
> 0xFFFF, which is then used to index into kvpmu->fw_event[]. Since the
> fw_event array only contains RISCV_KVM_MAX_FW_CTRS entries, this results
> in an out-of-bounds access that can be detected by UBSAN.
>
> Patch 1 fixes the issue by validating the firmware event code before
> accessing the fw_event array and returning -EINVAL for invalid values.
>
> After fixing the kernel behavior, the existing KVM selftest
> (sbi_pmu_test) fails because it attempts to read firmware counters
> without configuring them first. Patch 2 updates the selftest to
> configure a firmware event before reading the counter and adds a
> negative test to ensure that reading an unconfigured firmware counter
> fails gracefully.
>
> Jiakai Xu (2):
>   RISC-V: KVM: Fix array out-of-bounds in pmu_ctr_read() and
>     pmu_fw_ctr_read_hi()
>   RISC-V: KVM: selftests: Fix firmware counter read in sbi_pmu_test
>
>  arch/riscv/kvm/vcpu_pmu.c                     | 14 +++++++
>  .../testing/selftests/kvm/include/riscv/sbi.h | 37 +++++++++++++++++++
>  .../selftests/kvm/riscv/sbi_pmu_test.c        | 20 +++++++++-
>  3 files changed, 70 insertions(+), 1 deletion(-)
>
> --
> 2.34.1
>
Queued this series for Linux-7.1

Thanks,
Anup
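The bug class in the cover letter (an unconfigured counter whose event_idx of 0xFFFFFFFF decays to a 16-bit code of 0xFFFF and then indexes a fixed-size array) is easy to model outside the kernel. The following is an added stand-alone C sketch written for this thread, not code from the series or from arch/riscv/kvm/vcpu_pmu.c: the struct layouts, the value 32 for RISCV_KVM_MAX_FW_CTRS, the counter count, the event_idx 0xF0003 and every function named pmu_model_* or demo_* are assumptions or constructed values. It shows the validation step Patch 1 describes (reject the event code before it touches fw_event[]) and the selftest flow Patch 2 describes (a read before configure must fail with -EINVAL, a read after configure returns the count).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants named in the cover letter. The array size is an assumption for
 * this stand-alone model; the real value lives in the arch/riscv/kvm headers. */
#define SBI_PMU_EVENT_IDX_INVALID    0xFFFFFFFFul
#define SBI_PMU_EVENT_IDX_CODE_MASK  0xFFFFul   /* get_event_code() keeps these bits */
#define RISCV_KVM_MAX_FW_CTRS        32         /* assumed size of fw_event[] */
#define MODEL_NUM_CTRS               4          /* constructed: counters in this toy vPMU */

struct kvm_fw_event { uint64_t value; };
struct kvm_pmc      { unsigned long event_idx; };

struct pmu_model {
    struct kvm_fw_event fw_event[RISCV_KVM_MAX_FW_CTRS];
    struct kvm_pmc      pmc[MODEL_NUM_CTRS];
};

static uint32_t get_event_code(unsigned long event_idx)
{
    return (uint32_t)(event_idx & SBI_PMU_EVENT_IDX_CODE_MASK);
}

/* The check the cover letter describes: an event code may only be used as an
 * index into fw_event[] if it is below RISCV_KVM_MAX_FW_CTRS. Returns the
 * code, or -EINVAL. SBI_PMU_EVENT_IDX_INVALID yields code 0xFFFF and is
 * rejected here instead of reaching the array. */
int fw_event_code_or_err(unsigned long event_idx)
{
    uint32_t code = get_event_code(event_idx);
    if (code >= RISCV_KVM_MAX_FW_CTRS)
        return -EINVAL;
    return (int)code;
}

/* Reset the model: every counter starts unconfigured, exactly the state the
 * old selftest read from. */
void pmu_model_init(struct pmu_model *p)
{
    memset(p, 0, sizeof(*p));
    for (int i = 0; i < MODEL_NUM_CTRS; i++)
        p->pmc[i].event_idx = SBI_PMU_EVENT_IDX_INVALID;
}

/* Models SBI_EXT_PMU_COUNTER_CFG_MATCH for a firmware counter. */
int pmu_model_cfg_match(struct pmu_model *p, unsigned long cidx, unsigned long event_idx)
{
    if (cidx >= MODEL_NUM_CTRS || fw_event_code_or_err(event_idx) < 0)
        return -EINVAL;
    p->pmc[cidx].event_idx = event_idx;
    return 0;
}

/* Models the fixed SBI_EXT_PMU_COUNTER_FW_READ path: validate before indexing. */
int pmu_model_ctr_read(const struct pmu_model *p, unsigned long cidx, uint64_t *out)
{
    if (cidx >= MODEL_NUM_CTRS)
        return -EINVAL;
    int code = fw_event_code_or_err(p->pmc[cidx].event_idx);
    if (code < 0)
        return code;   /* unconfigured or out-of-range: fail instead of reading OOB */
    *out = p->fw_event[code].value;
    return 0;
}

/* Simulates the hypervisor recording one occurrence of firmware event `code`. */
int pmu_model_fw_event_hit(struct pmu_model *p, uint32_t code)
{
    if (code >= RISCV_KVM_MAX_FW_CTRS)
        return -EINVAL;
    p->fw_event[code].value++;
    return 0;
}

/* Walks the selftest flow from the cover letter: read before configure fails,
 * configure with a constructed firmware event_idx, then read the count. */
int demo_read_after_configure(void)
{
    struct pmu_model m;
    uint64_t v = 0;
    pmu_model_init(&m);

    if (pmu_model_ctr_read(&m, 0, &v) != -EINVAL)
        return -1;                          /* negative case must fail gracefully */

    /* constructed event_idx: firmware event type in bits 16..19, code 3 in the low 16 bits */
    if (pmu_model_cfg_match(&m, 0, 0xF0003ul) != 0)
        return -2;
    pmu_model_fw_event_hit(&m, 3);
    pmu_model_fw_event_hit(&m, 3);
    if (pmu_model_ctr_read(&m, 0, &v) != 0)
        return -3;
    return (int)v;                          /* 2 */
}

int main(void)
{
    printf("INVALID -> %d, demo -> %d\n",
           fw_event_code_or_err(SBI_PMU_EVENT_IDX_INVALID), demo_read_after_configure());
    return 0;
}
```

The point the model makes is that masking event_idx down to 16 bits silently turns the sentinel 0xFFFFFFFF into an in-range-looking integer, so a bounds check on the derived code (not on the sentinel) is what keeps fw_event[] safe; building this model with -fsanitize=undefined and dropping the check reproduces the UBSAN report the cover letter mentions.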

